By Megan Samford
Over the last two years, companies have championed new tools and solutions to help employees and customers navigate a new digital age. Remote work has turned the home office into an extension of the corporate network, increasing not only connectivity but also the cybersecurity attack surface. For organizations running manufacturing and production operations, the outcomes of a cyberattack can be even more significant with concerns for health and safety at the forefront.
In response, companies have made a sizable push to shore up their cybersecurity controls and frameworks to mitigate new risks, especially amidst recent warnings from the U.S. government asking companies to “harden their cyber defenses immediately” based on intelligence that the Russian government is exploring options for potential cyberattacks.
As companies look to step up cybersecurity efforts, it is imperative that the cybersecurity of operational technology (OT) systems be elevated along with IT systems – maybe now more than ever. How can organizations mitigate cyber threats to not just their IT systems, but also their OT (e.g., industrial automation control systems) and ultimately, critical infrastructure?
How do you ensure that cybersecurity programs do not stop short of production environments and industrial facilities? Here are five ways leaders can reduce a company’s cybersecurity risk and build a safer, stronger cyber network all the way down to the automation control systems:
1. Proactively build out cybersecurity controls in tandem with new digital tools. With working situations changing day to day at the beginning of the pandemic, being proactive was a difficult task. We owe a debt of gratitude to the many IT professionals who stepped up to provide digital tools for their enterprises so quickly. But now that we have adjusted to new ways of working, the time for proactivity is back. When deploying new technology, make sure that the tools integrate seamlessly with your cybersecurity controls from the get-go. While it may be an investment up front, it will help your company save both time and money later.
2. Back up all company data for easy restoration if targeted by ransomware. If your company falls victim to a cyberattack demanding ransom, it is important to be able to launch a clean data wipe. In this case, the ransomware can be eliminated, and the data restored from backups quickly. This negates the need to consider paying a ransom in time-sensitive situations. Every minute is important once hit with ransomware – for example, a water treatment plant has little time to correct dangerous levels of chemicals during the treatment process when populations continue to rely on water availability. By ensuring that data is backed up, you can act quickly to remedy the situation without ethical or financial concerns.
3. Prioritize OT security just as much as IT security. OT is often overlooked by enterprises beginning to shore up their cybersecurity approaches. However, the security of your OT environment is essential to the overall health of your enterprise – especially in areas of critical infrastructure. OT devices on machines, industrial equipment and production lines have become internet-accessible thanks to convergence with IT devices. This not only provides connectivity within an IT/OT environment but also introduces additional vulnerabilities that cyberattacks can exploit if not properly protected.
4. Consider the cybersecurity frameworks used by your customers or suppliers. A cybersecurity network is made strong by protected connectivity. Matching your systems to those of your supply chain partners and customers creates a chain that is far less vulnerable to attack than one without continuity, because it makes certain that there are no gaps in your systems that pick up vulnerabilities from theirs. For example, make sure the cybersecurity controls used on a machine provided to you by an outside equipment builder match those in your existing automation control systems.
5. Align your approach with proven cybersecurity standards when applying controls. When looking for a place to start, turn to popular cybersecurity standards for guidance on building a security framework. These standards provide an opportunity to align your enterprise with proven guidelines designed to promote cost-effective, efficient security by mapping out the necessary areas of focus. For example, ISA/IEC 62443 is a set of cybersecurity standards, endorsed by the United Nations, that has been crafted in tandem with leaders in the IT/OT space across the globe. 62443 can help you manage risks consistently, setting a foundation for your company’s success.
Cybersecurity is a rapidly evolving issue as digitalization continues to change the way that we work and digital transformation introduces new technology into operational environments. The key to fostering a healthy cybersecurity environment is being proactive about solutions and staying aware of best practices for your cybersecurity approach. By employing a standardized system and building in protections, leaders can give industry the tools to feel confident in the enterprise’s security.
Megan Samford, ISA Global Cybersecurity Alliance Chairperson and Chief Product Security Officer, Energy Management at Schneider Electric. To learn more about industry standards for the cybersecurity of industrial automation control systems, visit ISA Global Cybersecurity Alliance | ISA.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.